Cyber researchers sound alarm over a 15-year-old Linux kernel flaw – 'GhostLock' could let hackers seize unpatched machines in just five seconds

Researchers at Nebula said the GhostLock exploit is 97% reliable and can escape containers

A CGI visualization of a holographic red warning symbol hovering above some code on a blue background, to represent the Log4Shell vulnerability.
(Image credit: Getty Images)

Researchers at Nebula Security have discovered a Linux kernel flaw dating back to 2011 that lets any logged-in user take full root control of an unpatched machine in just five seconds.

Dubbed GhostLock (CVE-2026-43499), it was introduced in Linux 2.6.39 and fixed in Linux 7.1.

The flaw allows an unprivileged local attacker to get a dangling kernel pointer to kernel stack memory with only regular threading syscalls, write a pointer to an arbitrary address, and hijack a function table to get root access.

GhostLock has been shipped by default in every mainstream distribution since 2011, and requires no special privileges or network access. Nebula, which uncovered the flaw, said its exploit is reportedly 97% reliable and can also escape containers.

Latest Videos From

This particular flaw is the second part of an attack chain dubbed IonStack, with the first step being CVE-2026-10702, a vulnerability in Firefox that allows code execution within the browser and escapes its sandbox.

The vulnerability is rated high (7.8) as the attacker would already need to have local access to the system.

How the GhostLock flaw works

Nebula researchers said the root cause is a function reused by a caller it was never written for: the helper function remove_waiter(). During certain futex operations, it incorrectly clears a pointer associated with the currently executing task, rather than the actual waiting task.

This leaves the kernel with a dangling pointer that points to a memory location that has already been freed and reused. This allowed the Nebula team to gain full control, tricking the kernel into running their own code as the root user.

Daniel Bechenea, security manager at Pentest Tools, said the flaw is of particular concern because kernel exploits have historically carried a “real operational cost for attackers”.

“An unreliable one crashes the box and burns the access,” he explained. “An exploit that Nebula reports as 97% reliable, with public code anyone can run, changes that math.”

"As GhostLock uses a kernel vulnerability, containers also represent a juicy target for attackers as the exploit escapes the container and obtains code execution as root on the host OS, meaning that: containerised workloads that teams treat as isolated become stepping stones to the host and everything else scheduled on it."

Patch now

Systems running older kernels remain vulnerable to exploitation, according to Nebula. Researchers urged users and administrators to update to patched kernel versions as soon as possible.

"On an unpatched host, treat any code execution as root, and plan containment accordingly," advised Bechenea.

"Prioritize the systems that run untrusted or semi-trusted code by design: CI runners, container platforms, shared development machines, multi-tenant hosts, and verify the fixed kernel package version on each system rather than trusting that the April fix propagated, because with several major LTS releases still lagging in early July, attackers who land a foothold will check your kernel version even if you haven’t."

FOLLOW US ON SOCIAL MEDIA

Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.